Bug 858639 (CVE-2014-0591)

Summary: VUL-0: CVE-2014-0591: bind: named crash when handling malformed NSEC3-signed zones
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: max, meissner, ro, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:running:55990:moderate maint:released:sle11-sp2:56027 maint:released:sle11-sp1:56026 maint:released:sle11-sp3:56029 maint:running:59990:important maint:released:sle11-sp1:60337
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Swamp Workflow Management 2014-01-14 23:00:21 UTC
bugbot adjusting priority
Comment 3 Reinhard Max 2014-01-22 16:45:29 UTC
Submitted to 12.3, 13.1, SLE-10-SP4, SLE-11, SLE-11-SP2 and Factory. SLE12 will follow.

bind-9.3.4 which is contained in SLE-9-SP3-teradata and SLE-10-SP3 is not listed as vulnerable in the NIST link above.
Comment 5 Bernhard Wiedemann 2014-01-22 17:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (858639) was mentioned in
https://build.opensuse.org/request/show/214727 13.1+12.3 / bind
Comment 6 Bernhard Wiedemann 2014-01-24 11:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (858639) was mentioned in
https://build.opensuse.org/request/show/215020 Factory / bind
Comment 8 Ruediger Oertel 2014-01-30 10:06:30 UTC
There is a patchinfo pending for sle10-sp3 which is not vulnerable
according to comment#3.

Can you cancel the patchinfo?
Comment 9 Swamp Workflow Management 2014-01-31 18:54:24 UTC
Update released for: bind, bind-chrootenv, bind-debuginfo, bind-debugsource, bind-devel, bind-doc, bind-libs, bind-libs-32bit, bind-libs-64bit, bind-libs-x86, bind-lwresd, bind-utils
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 10 Swamp Workflow Management 2014-01-31 20:29:18 UTC
Update released for: bind, bind-chrootenv, bind-debuginfo, bind-debugsource, bind-devel, bind-doc, bind-libs, bind-lwresd, bind-utils
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 11 Swamp Workflow Management 2014-01-31 20:49:31 UTC
Update released for: bind, bind-chrootenv, bind-debuginfo, bind-debugsource, bind-devel, bind-doc, bind-libs, bind-libs-32bit, bind-libs-64bit, bind-libs-x86, bind-lwresd, bind-utils
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 12 Swamp Workflow Management 2014-02-01 00:04:23 UTC
SUSE-SU-2014:0179-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 858639
CVE References: CVE-2014-0591
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Software Development Kit 11 SP2 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Server 11 SP3 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Server 11 SP2 for VMware (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Server 11 SP2 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    bind-9.9.4P2-0.6.1
SUSE Linux Enterprise Desktop 11 SP2 (src):    bind-9.9.4P2-0.6.1
Comment 13 Marcus Meissner 2014-02-17 09:34:52 UTC
was released
Comment 15 Swamp Workflow Management 2015-03-11 19:05:19 UTC
SUSE-SU-2015:0480-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 743758,858639,908994
CVE References: CVE-2014-0591,CVE-2014-8500
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    bind-9.6ESVR11W1-0.2.1